aws.hostedzone
Filters
query-logging-enabled
Parent base class for filters and actions.
    properties:
      state:
        type: boolean
      type:
        enum:
        - query-logging-enabled
    required:
    - type
Permissions - route53:GetQueryLoggingConfig, route53:GetHostedZone, logs:DescribeSubscriptionFilters
shield-enabled
Base class with helper methods for dealing with ARNs of resources protected by Shield
    properties:
      state:
        type: boolean
      type:
        enum:
        - shield-enabled
    required:
    - type
Permissions - shield:ListProtections
Actions
delete
Action to delete Route 53 hosted zones.
It is recommended to use a filter to avoid unwanted deletion of R53 hosted zones.
If force is set, this action will wipe out all records in the hosted zone before deleting the zone.
Example:

    policies:
      - name: route53-delete-testing-hosted-zones
        resource: aws.hostedzone
        filters:
          - 'tag:TestTag': present
        actions:
          - type: delete
            force: true

    properties:
      force:
        type: boolean
      type:
        enum:
        - delete
    required:
    - type
Permissions - route53:DeleteHostedZone
rename-tag
Rename an existing tag key to a new value.
Example:
Rename Application and Bap to App. If a resource has both of the old keys, the value specified by Application is used, based on the order of the values in old_keys.

    policies:
      - name: rename-tags-example
        resource: aws.log-group
        filters:
          - or:
            - "tag:Bap": present
            - "tag:Application": present
        actions:
          - type: rename-tag
            old_keys: [Application, Bap]
            new_key: App

    properties:
      new_key:
        type: string
      old_key:
        type: string
      old_keys:
        items:
          type: string
        type: array
      type:
        enum:
        - rename-tag
    required:
    - type
Permissions - tag:TagResources, tag:UntagResources
set-query-logging
Enables query logging on a hosted zone.
By default this enables a log group per Route 53 domain; alternatively, a log group name can be specified for a unified log across domains.
Note that this is only applicable to public Route 53 domains, and log groups must be created in the us-east-1 region.
This action can optionally set up the resource permissions needed for Route 53 to log to CloudWatch Logs via set-permissions: true; otherwise the CloudWatch Logs resource policy needs to be set separately.
It's recommended to use a separate custodian policy on the log groups to set the log retention period for the zone logs. See custodian schema aws.log-group.actions.set-retention.
Example:

    policies:
      - name: enablednsquerylogging
        resource: hostedzone
        region: us-east-1
        filters:
          - type: query-logging-enabled
            state: false
        actions:
          - type: set-query-logging
            state: true

    properties:
      log-group:
        default: auto
        type: string
      log-group-prefix:
        default: /aws/route53
        type: string
      set-permissions:
        type: boolean
      state:
        type: boolean
      type:
        enum:
        - set-query-logging
    required:
    - type
Permissions - route53:GetQueryLoggingConfig, route53:CreateQueryLoggingConfig, route53:DeleteQueryLoggingConfig, logs:DescribeLogGroups, logs:CreateLogGroup, logs:GetResourcePolicy, logs:PutResourcePolicy
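When set-permissions is left off, the CloudWatch Logs resource policy has to exist before Route 53 can write query logs. The following is an added example, not Cloud Custodian's own code: it builds the policy document AWS documents for Route 53 query logging under the default /aws/route53 prefix and checks a DescribeResourcePolicies-style list for the two required actions. The function names, Sid, policy name, account ID and zone name are assumptions made for illustration.

```python
import json
from fnmatch import fnmatchcase

ROUTE53 = "route53.amazonaws.com"
REQUIRED = {"logs:CreateLogStream", "logs:PutLogEvents"}


def as_list(value):
    return value if isinstance(value, list) else [value]


def build_policy(account_id, prefix="/aws/route53"):
    """Policy document allowing Route 53 to write to every log group under prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Route53QueryLogging",  # constructed Sid
            "Effect": "Allow",
            "Principal": {"Service": ROUTE53},
            "Action": sorted(REQUIRED),
            "Resource": f"arn:aws:logs:us-east-1:{account_id}:log-group:{prefix}/*",
        }],
    }


def missing_actions(resource_policies, log_group_arn):
    """Required actions that no Allow statement grants Route 53 on the log group.

    Simplified: Deny statements, Conditions and wildcard principals are not evaluated.
    """
    targets = (log_group_arn, log_group_arn + ":log-stream:any")
    granted = set()
    for policy in resource_policies:
        document = json.loads(policy["policyDocument"])
        for stmt in as_list(document.get("Statement", [])):
            principal = stmt.get("Principal")
            services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
            if stmt.get("Effect") != "Allow" or ROUTE53 not in services:
                continue
            resources = as_list(stmt.get("Resource", []))
            if not any(fnmatchcase(t, r) for t in targets for r in resources):
                continue
            for action in as_list(stmt.get("Action", [])):
                granted |= {a for a in REQUIRED if fnmatchcase(a.lower(), action.lower())}
    return sorted(REQUIRED - granted)


# Constructed sample in the shape of the resourcePolicies list from DescribeResourcePolicies.
SAMPLE = [{"policyName": "example-route53-logs",
           "policyDocument": json.dumps(build_policy("123456789012"))}]
ZONE_LOG_GROUP = "arn:aws:logs:us-east-1:123456789012:log-group:/aws/route53/example.com"
```

An empty list from missing_actions means the log group is covered; any action it returns is one Route 53 would be denied when delivering query logs.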
set-shield
Enable Shield protection on the applicable resource.
Setting the sync parameter will also clear out stale Shield protections for resources that no longer exist.
    properties:
      state:
        type: boolean
      sync:
        type: boolean
      type:
        enum:
        - set-shield
    required:
    - type
Permissions - shield:CreateProtection, shield:ListProtections